
Are businesses violating federal law by asking if you’ve gotten a COVID-19 vaccine?

Businesses are allowed to ask you whether you've been vaccinated. It does not fall under HIPAA.

INDIANAPOLIS — The release of your personal health information is protected by federal law, but does that also apply to whether you’ve been vaccinated against COVID-19? 

The question

13News viewers like Lynne wrote VERIFY to ask: “Can you verify whether or not the COVID vaccine is covered by the HIPAA Act?”

Our sources

The U.S. Department of Health and Human Services, the Equal Employment Opportunity Commission, the National Law Review, and Park Legal LLC.

What we found

It’s now been 25 years since Congress passed HIPAA, the Health Insurance Portability and Accountability Act of 1996. The act’s privacy rule protects your personal health information from being shared without your consent.

But it’s important to understand who is regulated by HIPAA. The law applies strictly to health-related entities, such as doctors, insurance companies, hospitals and clinics. They cannot release your protected health information without your permission, and that includes information about your vaccines. Your doctor or insurance company cannot disclose whether you have received a COVID-19 vaccine unless you authorize them to release that information.

However, HIPAA does not apply to employers. In December, the EEOC, which enforces federal workplace anti-discrimination laws, confirmed employers can ask about a worker’s vaccine status. And after analyzing the EEOC guidance, the National Law Review concluded employers can even require their workers to get the COVID-19 vaccine.

“Employers can, for the most part, ask if an employee is vaccinated because that does not fall under HIPAA,” explained Joan Antokol, a data privacy and HIPAA expert with Indianapolis-based law firm Park Legal. “An employer has an obligation to maintain and foster safety in the workplace, and they are allowed to take reasonable steps and ask reasonable questions to do that. Asking if someone has been vaccinated falls within that obligation.”

For the same reasons, businesses are also allowed to ask you whether you've been vaccinated. HIPAA does not apply to airlines or grocery stores or any other companies that don’t collect your personal health care information.

Just because a business might ask you if you've been vaccinated does not mean you have to tell them. But that could come with consequences. In most places, businesses are allowed to refuse you service, as long as they are not violating federal discrimination laws. Companies must make reasonable accommodations for individuals who have certain medical disabilities or religious reasons for not getting a vaccine.

Some states, like Florida, now have executive orders that prohibit businesses from turning away customers who don’t have the COVID-19 vaccine. However, those are state rules and unrelated to HIPAA.

So are businesses and employers violating HIPAA if they ask about or mandate a COVID-19 vaccine?

We can verify that is false because most businesses and employers are not subject to that federal law at all.

Have a question or something you’d like us to fact check for you? Send us an email at verify@wthr.com.